UNITED STATES DISTRICT COURT
EASTERN DISTRICT OF NEW YORK

UNITED STATES OF AMERICA                ORDER

- against -                             08-M-444

ALBERT GONZALEZ,
also known as
“Segvec,”

Defendant.

Upon the application of BENTON J. CAMPBELL, United
States Attorney for the Eastern District of New York, by
Assistant United States Attorney WILLIAM P. CAMPOS, it is hereby

ORDERED that the Affidavit In Support of Arrest Warrant
in the above-captioned case be unsealed.

Dated: Central Islip, New York
May 12, 2008
UNITED STATES MAGISTRATE JUDGE
EASTERN DISTRICT OF NEW YORK 


to do so, to transmit and cause to be transmitted, by means of 


(Title 18, United States Code, Section 1349) 
The basis for my information and the grounds for my 


been a Special Agent with the USSS for 
approximately six (6) years. I have been assigned to the United
States Secret Service Melville Resident Office for approximately 
four (4) years. My information in this case comes from 
conversations with other law enforcement officers, reports of 
other law enforcement officers, my review of various documents 
and records related to this investigation, and from my training 
and experience. 

Where the contents of documents and the actions,
statements, and conversations of others are reported herein, they 
are reported in substance and in part. 


Dave & Buster’s Intrusions 


revealed that, from approximately April through September of 


2007, GONZALEZ, together with Aleksandr Suvorov and Maksym 


could sell to others who, in turn, would either use the data to 


4. Dave & Buster’s, Inc. (D&B), is an American
restaurant chain with 49 locations in the
United States.

September 2007, D&B contacted the USSS about unauthorized
computer intrusions that had occurred in their computer systems.
D&B had discovered that one or more persons had accessed, without
authorization, point-of-sale (“POS”) computer servers at some of
D&B's restaurants. The POS computer servers were used to
transmit credit and debit card account data for D&B customers
through the D&B corporate network to a third party data processor
for authorization and verification.

5. According to the forensic examination report of
the intrusion provided by D&B and confirmed by the USSS, the
first unauthorized access to a D&B POS computer server occurred
in April 2007, when someone used an Internet connection to
remotely access a POS server at a D&B restaurant in Arundel,
Maryland. That person unsuccessfully tried to install computer
software, known as a “packet sniffer,” on the D&B computer. A

another networked computer

The packet sniffer that
the intruder attempted to install here was a piece of malicious
software designed to collect credit and debit card account
numbers and expiration dates when such information was
transmitted from the POS computer server at the Arundel, Maryland
restaurant location through D&B's corporate computer systems in
Dallas, Texas to the computer systems of a third party data
processor. The packet sniffer malfunctioned, however, and no
credit or debit card account information was captured.

6. According to the D&B forensic report and confirmed
by the USSS, on May 18, 2007, the intruders accessed D&B's
corporate computer network in Dallas, Texas without authorization
and successfully installed the packet sniffer on POS
servers at 11 D&B restaurants, including one in Islandia, New
York, in the Eastern District of New York.

7. Specifically, on the Islandia POS server the
packet sniffer functioned correctly and collected credit and
debit card account data for D&B customers who used their credit
and debit cards to purchase food and other services at the
restaurant. Once the packet sniffer collected this credit and
debit card data, the packet sniffer stored the data in a computer
log file that could later be retrieved and used for fraudulent
purposes, such as creating counterfeit credit cards or making
fraudulent credit card purchases. Additionally, the packet sniffer was
periodically reactivated because a defect in the packet sniffer
software program caused the packet sniffer to automatically
deactivate whenever the compromised D&B POS servers rebooted in
the normal course of the operation of the servers.

8. With respect to the Islandia D&B restaurant, the 
forensic examination report confirmed that the packet sniffer was 
actively collecting customers' credit and debit card account 
information during four time periods between May and September 
2007: (1) May 18 through June 6, 2007; (2) June 6 through June 9, 
2007; (3) July 23 through July 25, 2007; and (4) August 14 
through August 20, 2007. 

9. According to the D&B forensic report and confirmed 
by the USSS, on September 22, 2007, another attempt to access the 
Islandia POS server without authorization was made, but D&B had 
become aware of the previous intrusions by that time and had 
blocked the intruder from collecting any further credit and debit
card data. 

10. Investigation has revealed that approximately 
5,100 MasterCard and Visa cards as well as 32 American Express 
cards were used in the D&B restaurant in Islandia during the time 
periods when the packet sniffer was actively collecting credit 
and debit card data. Further, 675 of these cards were 
subsequently used to make unauthorized purchases at various 
retail locations and from various online merchants worldwide, 
causing losses of at least $600,000 to the financial institutions 


that issued the credit and debit cards. This investigation has
confirmed that these credit and debit card account numbers were
stolen when they were used at the D&B restaurant in Islandia, New
York, and not another merchant or retailer.

Evidence Linking ICQ UIN 201679996 to the D&B Intrusion

11. GONZALEZ was eventually determined to be the 
provider of the packet sniffer used in the computer intrusions 
described above based on his association with a Ukrainian 
citizen, by the name of Maksym Yastremskiy, who was one of the
biggest resellers of stolen credit card data targeted by the 
USSS. 

12. In July 2007, Yastremskiy was arrested in Turkey
by the Turkish National Police. This arrest was based, in part, 


on charges of trafficking in stolen credit card numbers, brought 


13. Around the time of Yastremskiy's arrest, the 
Turkish National Police seized Yastremskiy's laptop computer and 
cellular phone. The Turkish National Police, then, provided an 
image of the computer, along with Yastremskiy's computer 
password, to the USSS. Through the forensic examination, the 
USSS recovered information from Yastremskiy's laptop that related
to the intrusions into the D&B computers. Specifically, the USSS
found many stored ICQ instant messages sent over the Internet
(referred to as “chat logs”) on the laptop, millions of stolen
credit card numbers, and a folder that contained a packet sniffer
used in the D&B intrusions.

14. ICQ is an instant messaging service, similar to
AOL's instant messaging service, which identifies its users by 


numbers, called "UIN." ICQ conversations, or chats, can be 


logged (recorded) by their participants. 

15. The stored chat logs on Yastremskiy's laptop were 
essentially transcripts of instant messages between Yastremskiy 
and various associates. From these chat logs, the USSS was able 
to determine that Yastremskiy communicated with an individual 
using the UIN 201679996. The ICQ chat logs also reflect that the 
person using ICQ UIN 201679996 changed the ICQ UIN through which
he was communicating with Maksik following news that one of the
retailers that he (201679996) had compromised was uncovered and

begin communicating with Maksik through ICQ UIN 476747. For
simplicity and clarity, the ICQ UIN 201679996 is used throughout
this Affidavit rather than switching between the two ICQ UINs.

16. The logs obtained from Maksik indicate that ICQ
UIN 201679996 took credit for supplying the packet sniffer to 
Maksik to pass on to a third party, later determined to be 
Aleksandr Suvorov, for use in the D&B intrusions. For example, 


Maksik and ICQ UIN 201679996 exchanged the following messages 


° May 15, 2007 (ICQ UIN 201679996 to Maksik): “btw,
this plalce [sic] your guy hacked from-db.tar’ is: a
very nice place, they have many locations, it's
called Dave & Buster’s” 


° May 15, 2007 (Maksik to ICQ UIN 201679996): 
dpb is dave and busters:-)” 


2007 (Maksik to ICQ UIN 201679996 
now how danb is working, just need sniffe 
istening to port 10700 in/out:-) could y 
compile it:-) Thanks” 
° May 16, 2007 (ICQ UIN 201679996 to Maksik):
ile it right now” 


° May 18, 2007 (ICQ UIN 201679996 to Maksik)
your guy use or say anything about my sniffe 
dandb?” 


May 18, 2007 (Maks1l 
guy told me to teil 
° May 24, 2007 (ICQ UIN 201679996 to Maksik):
sent them sniffer for dandb”
° May 30, 2007 (ICQ UIN 201679996 to Maksik): “did
your guy give any info on how things are going on
d and b? im curious if my sniffer work or no


° May 30, 2007 (Maksik to ICQ UIN 201679996): 
sniffer he told me. what exactly you are 
interested in ? he says it seems its workin 
got 5gb log file” 


The USSS confirmed that the packet sniffer referred to int 


installed on D&B computer systems on May 18, 2007 


rack 2 cardholder information until it was detect


at 
sniffer program for Maksik's associate (Aleksandr Suvorov) to use
in the D&B intrusion. An analyst at the Computer Emergency 
Response Team Coordinating Center (CERT-CC) has analyzed the 


sniffers found on Retailer One’s and Dave & Buster's systems. He 
has confirmed that they appear to be two different versions of
the same program and that in his experience, this underlying
program is unique. The core sniffer program, according to the
CERT analyst, is efficient, well designed, and uses some

knowledge of computer programming skills, whether acquired
through self-study or, as he believed more likely, through formal
training.


Evidence Linking ICQ UIN 201679996 to GONZALEZ 




18. Evidence described below strongly links the use 
of ICQ UIN 201679996 to GONZALEZ. 
19. As stated above, in the Maksik logs, ICQ UIN


201679996 took credit for having had a "sniffer" program 


obtained by Secret Service in a separate investigation, this IP


201679996, and in turn, 


nicknames have been linked to the ICQ UIN


to GONZALEZ. ICQ UIN 201679996 was originally registered with 


21. In a March 9, 2006 chat logged on Maksik's hard 
drive, ICQ UIN 201679996 expressed concern that a friend who was 


cashing cards for him had been arrested the day before. CS-1,




who reported that he had been cashing cards for GONZALEZ, was 
arrested on March 8, 2006, the day before. 


22. CS-1 stated, during a law-enforcement interview, 




2 GONZALEZ was arrested in July, 2003, for access device 


fraud. Agents seized numerous computers from Gonzalez at the 
time of his arrest in 2003. On one of these computers were logs 
of Internet relay chat conversations in which he had participated 
three years earlier in 2000 (Internet relay chat is the 
electronic equivalent of a conference call.) During the chat, 
Gonzalez, using the screen name “soupnagi ..” 
prior to CS-1's arrest, Maksik's ICQ chat logs contain


negotiations between ICQ UIN 201679996 and Maksik about Maksik's 
obtaining for ICQ UIN 201679996 a passport from either the 


On March 9, 2006, ICQ UIN 201679996 identified the person for 
btain the Netherlands passport as being 


been arrested; as stated above, CS-1 was

23. During the course of their business dealings,


Maksik's ICQ logs also reflect ICQ UIN 201679996 directing Maksik 


proceeds of fraudulently 




obtained card information to a bank account in Latvia. GONZALEZ 
similarly directed CS-1 to wire GONZALEZ’ share of the proceeds 
carding to bank accounts in Latvia on at least two occasions. 
24. Following the announcement of the discovery of the
Retailer One breach, the registration of ICQ UIN 201679996 was
changed from soupnazi@efnet.ru (known to be used by GONZALEZ) to
segvec@fromru.com. Records pertaining to E-gold, Ltd., a company
issuing an internet currency called “e-gold,” contain a
transaction from an e-gold account also registered to the e-mail
address segvec@fromru.com to SIA Ekosistems in Latvia. CS-1 was
similarly directed by GONZALEZ to wire carding proceeds to the

“segvec” by Confidential Source 2 (“CS-2”), who stated, during a
law-enforcement interview, that GONZALEZ has admitted to him that 
he (GONZALEZ) uses the Internet nicknames “soupnazi” and 


“segvec”, among others. CS-2 also stated during the interview 


breaches of large businesses. 
26. Maksik's chat logs also link ICQ UIN 201679996 to 
segvec”. Maksik used the nickname 


occasions when referring directly or
indirectly to the user of ICQ UIN 201679996. On October 20,


2006, Maksik stated that one of his friends was told he could 


cardholders use to prevent unauthorized transactions, and which 


credit or debit card information) from “segvec.” In response, 


the user of ICQ UIN 201679996 states "funny cuz I dont have


of ICQ UIN 201679996 were discussing a published article on 
recent seizures of e-gold accounts, including Segvec’s account, 
by the U.S. government. ICQ UIN 201679996 states that "they 


mention specific shit in the article [...] about my operations 


Court issue warrant for the arrest of defendant ALBERT GONZALEZ 
so that he may be dealt with according to law. Because this
investigation is ongoing, I respectfully request that this 


UNITED STATES MAGISTRATE JUDGE
EASTERN DISTRICT OF NEW YORK

The affidavit shall be filed under seal and remain
under seal until further order of the Court.

UNITED STATES MAGISTRATE JUDGE
EASTERN DISTRICT OF NEW YORK


AO 442 (Rev. 12/85) Warrant for Arrest 


United States District Court 


EASTERN DISTRICT OF NEW YORK


UNITED STATES OF AMERICA 


V. WARRANT FOR ARREST 
CASE NUMBER: 
ALBERT GONZALEZ, 
also known as "segvec" 


To: Special Agent Matthew Lynch, United States Secret Service 
and any Authorized United States Officer 


YOU ARE HEREBY COMMANDED to arrest ALBERT GONZALEZ 


Name 


and bring him forthwith to the nearest magistrate to answer a(n) 

[ ] Indictment [ ] Information Complaint [ ] Order of court [ ] Violation Notice [ ] Probation Violation Petition
charging him with (brief description of offense)

conspiracy to commit wire fraud 


in violation of Title 18, United States Code, Section(s) 1349


Hon. Michael L. Orenstein UNITED STATES MAGISTRATE JUDGE 
Name of Issuing Officer                Title of Issuing Officer
May 8, 2008        Central Islip, New York
Signature of Issuing officer           Date and Location
Bail fixed at $ by 


Name of Judicial Officer 


RETURN 


This warrant was received and executed with the arrest of the above-named defendant at 


DATE RECEIVED NAME AND TITLE OF ARRESTING OFFICER SIGNATURE OF ARRESTING OFFICER 


DATE OF ARREST


